From f69e30c0107ceff61296045cfd36ea0506d54186 Mon Sep 17 00:00:00 2001
From: Yasuyuki KOZAKAI
Date: Mon, 11 Jun 2007 20:17:34 +0000
Subject: '-p all' and '-p 0' should be allowed. And actually ip6tables in kernel allows '! -p xxx' where xxx is extension header. It matches all valid IPv6 packets.
---
 ip6tables.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/ip6tables.c b/ip6tables.c
index 4510ba4a..e742631e 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -883,13 +883,11 @@ parse_protocol(const char *s)
 	return (u_int16_t)proto;
 }
 
-/* proto means IPv6 extension header ? */
+/* These are invalid numbers as upper layer protocol */
 static int is_exthdr(u_int16_t proto)
 {
-	return (proto == IPPROTO_HOPOPTS ||
-		proto == IPPROTO_ROUTING ||
+	return (proto == IPPROTO_ROUTING ||
 		proto == IPPROTO_FRAGMENT ||
-		proto == IPPROTO_ESP ||
 		proto == IPPROTO_AH ||
 		proto == IPPROTO_DSTOPTS);
 }
@@ -2062,10 +2060,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
 				exit_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
 
-			if (fw.ipv6.proto != IPPROTO_ESP &&
-			    is_exthdr(fw.ipv6.proto))
+			if (is_exthdr(fw.ipv6.proto)
+			    && (fw.ipv6.invflags & IP6T_INV_PROTO) == 0)
 				printf("Warning: never matched protocol: %s. "
-				       "use exension match instead.", protocol);
+				       "use extension match instead.\n",
+				       protocol);
 			break;
 
 		case 's':
-- 
cgit v1.2.3
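Review bot: The new comment on is_exthdr does not say why IPPROTO_HOPOPTS and IPPROTO_ESP are no longer in the list, so the next reader sees a function named is_exthdr that rejects two well-known extension headers and will assume an omission. Dropping ESP only relocates the caller's `fw.ipv6.proto != IPPROTO_ESP` exclusion into the helper, but dropping HOPOPTS is a behaviour change the commit message does not mention: a rule written with `-p hopopts` now gets no warning, and if the kernel never reports hop-by-hop as the upper-layer protocol (I cannot confirm that from here) such a rule silently never matches, which for a firewall is a policy gap that is hard to spot. I would record the rationale in the comment, for example `/* Extension headers the kernel never reports as a packet's upper-layer protocol. ESP is deliberately absent (matched as a payload protocol); HOPOPTS is deliberately absent: <state why> */`, and restore HOPOPTS if it was dropped by mistake.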
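Review bot: The warning is still written with printf to stdout, so the corrected message (now with its trailing newline) lands in the same stream as the command's regular output and can be mistaken for it by scripts that capture ip6tables output; diagnostics belong on stderr. I would change the two lines to `fprintf(stderr, "Warning: never matched protocol: %s. "` / `"use extension match instead.\n", protocol);`. The new `(fw.ipv6.invflags & IP6T_INV_PROTO) == 0` guard is the right place for the inversion check, but a one-line comment such as `/* '! -p <exthdr>' matches every packet, so no warning */` would save the reader a trip to the commit log. do_command6 starts and ends outside the hunk.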